Securing Real-Time Microcontroller Systems Through Customized Memory View Switching

Securing Real-Time Microcontroller Systems Through Customized Memory View Switching

Securing Real-Time Microcontroller Systems through Customized Memory View Switching Chung Hwan Kim∗x Taegyu Kimy Hongjun Choiy Zhongshu Guz Byoungyoung Leey Xiangyu Zhangy Dongyan Xuy ∗NEC Laboratories America yPurdue University zIBM T.J. Watson Research Center ∗[email protected] y{tgkim, choi293, byoungyoung, xyzhang, dxu}@purdue.edu [email protected] Abstract—Real-time microcontrollers have been widely Among computer systems security methods, memory iso- adopted in cyber-physical systems that require both real-time and lation is one of the most common and effective techniques. security guarantees. Unfortunately, security is sometimes traded In this paper, we focus on the following two general and for real-time performance in such systems. Notably, memory popular memory isolation techniques: process and kernel isolation, which is one of the most established security features memory isolation. Process memory isolation isolates each in modern computer systems, is typically not available in many process’s virtual memory space from other processes. Due to real-time microcontroller systems due to its negative impacts on performance and violation of real-time constraints. As such, the this restricted memory accessibility, it is difficult for an attacker memory space of these systems has created an open, monolithic to launch memory corruption attacks to other processes from a attack surface that attackers can target to subvert the entire victim process that he or she has already compromised. Kernel systems. In this paper, we present MINION, a security architecture memory isolation separates kernel memory space from a user that intends to virtually partition the memory space and enforce process context via privilege separation, rendering privilege memory access control of a real-time microcontroller. MINION escalation attacks difficult to perform by exploiting memory can automatically identify the reachable memory regions of real- corruption issues in the kernel (i.e., illegally acquiring the kernel time processes through off-line static analysis on the system’s execution context from the user execution context). These two firmware and conduct run-time memory access control through memory isolation techniques constitute the fundamental security hardware-based enforcement. Our evaluation results demonstrate principle, the principle of least privilege, preventing an attacker that, by significantly reducing the memory space that each process can access, MINION can effectively protect a microcontroller from subverting the entire system even if he or she successfully from various attacks that were previously viable. In addition, compromised a subset of the system. unlike conventional memory isolation mechanisms that might incur substantial performance overhead, the lightweight design However, it is challenging for real-time MCS to support of MINION is able to maintain the real-time properties of the such memory isolation in practice [31], due to hardware and microcontroller. performance constraints [11]. According to our survey of 67 commodity real-time MCS, none of them is designed to employ process memory isolation or kernel memory isolation. Table I I. INTRODUCTION summarizes the results of our survey of various types of real- A microcontroller is a small computer that contains a proces- time MCS including unmanned aerial vehicle (UAV), unmanned sor, memory, and various input/output (I/O) peripherals. Among ground vehicle (UGV), remotely operated underwater vehicle various types of embedded systems based on microcontrollers, (ROV), real-time 3D printer, and real-time Internet of Things real-time microcontroller systems (MCS) are designed to meet (IoT) devices. Process memory isolation through virtual memory the deadline constraints of the real-time processes that run is not supported, because they are built on hardware that does atop. The primary goal of a real-time MCS is not for high not provide a memory management unit (MMU). Also, kernel throughput, but for the responsiveness—any failure to meet the memory isolation is not employed due to its negative impact response deadline may lead to non-trivial safety impacts. In on real-time performance induced by frequent privilege mode fact, many cyber-physical/embedded systems today are relying switching (between kernel and user modes). In fact, several on real-time MCS: for example, manned and unmanned vehicle RTOSs [14], [20], [22] running on real-time MCS optionally systems, rocket and satellite systems, robot control systems, supports kernel memory isolation, but it is often turned off and real-time health-care systems. Unfortunately, we note that in practice as it tends to violate the real-time constraints, as the security of real-time MCS has not yet received enough shown in our study (§II-C). attention although real security threats [12], [27], [32], [33], [39], [51] have increasingly been reported. Without strong memory isolation, MCS expose a large attack surface to attackers. More precisely, without virtual xWork conducted when he was a Ph.D. student at Purdue University. memory support, these systems simply layout everything into a single memory space (illustrated in Fig. 1). Non-volatile and volatile memory, such as a flash ROM and an on-chip SRAM, are hard-wired to fixed locations, and peripheral devices are Network and Distributed Systems Security (NDSS) Symposium 2018 mapped to specific areas of the memory space through memory- 18-21 February 2018, San Diego, CA, USA mapped I/O (MMIO). In addition, all software modules, such as ISBN 1-1891562-49-5 applications, libraries, device drivers, and the OS, are executed http://dx.doi.org/10.14722/ndss.2018.23107 in the same privilege mode (i.e., the privileged mode) and www.ndss-symposium.org have access to the entire shared memory space. This makes the memory space a large attack surface open to attackers who TABLE I. AVAILABILITY OF PROCESS AND KERNEL MEMORY Per Process: ISOLATION IN COMMODITY REAL-TIME MCS. P :PROCESS MEMORY RTOS P1 P2 … ISOLATION SUPPORT. K:KERNEL MEMORY ISOLATION SUPPORT. Memory View Unpriv. # of Type RTOSs Manufacturers P K MCS NuttX 3DR, enRoute, Virtual Robotix, ... 18 7 7 MPU UAV FreeRTOS Storm Racing Drone, RISE 30 7 7 View Switcher ChibiOS Parrot 6 7 7 UGV NuttX Erie Robotics, HobbyKing 2 7 7 ROV NuttX, OpenROV BlueRobotics, OpenROV 2 7 7 Privileged 3D Printer Marlin D-creator, BQ WitBox, Wombot, ... 7 7 7 IoT FreeRTOS Mongoose, Particle 2 7 7 Memory View : Memory View Boundary Enforcement : Direct Memory Access Shared Memory Space Fig. 2. Overall architecture of MINION. All Code All Data (OS, (Global, Drivers, … … Stack, memory view switching mechanism for memory isolation, which Libraries, Heap) System Apps) avoids frequent privilege mode switching. Fig. 2 illustrates the Boot Loader Peripherals Peripherals Control/Timer Interrupt Vector Interrupt overall architecture. The workflow of MINION consists of the Flash ROM SRAM Devices following three tasks. First, MINION captures the approximated minimum set of memory regions essential to correctly operate Fig. 1. Memory space layout of real-time MCS. each process. MINION performs a conservative static program analysis based on points-to analysis, which comprehensively considers all memory types in real-time MCS (i.e., code, data, could successfully compromise any of the software modules by and peripheral-mapped memory). Next, MINION constructs a exploiting a memory corruption vulnerability in real-time MCS, per-process memory view by assembling the previous analysis as demonstrated in previous incidents [1]–[4], [40], [49]. For results. To overcome the limitation of current memory protec- instance, an attacker may exploit a buffer overflow vulnerability tion hardware in real-time MCS, MINION performs a clustering in a telnet server through Wi-Fi in a UAV [40] and navigate analysis, tailoring the memory views to be compatible with through the memory space to corrupt critical software and the underlying hardware mechanism. Finally, MINION enforces hardware components, such as the flight control program and memory isolation based on the tailored per-process memory actuators, to maliciously operate the vehicle. For such systems, view using the view switcher. The view switcher is the only any vulnerable software module becomes an “Achilles heel” of trusted computing base (TCB) that runs in the privileged mode, the entire system. Compromising one of the software modules and it is isolated from the RTOS and processes running in the is equivalent to taking over the whole system, including both unprivileged mode. the software stack and its associated physical and networking components. The unique architecture of MINION allows the target real- time MCS to meet both security and real-time requirements. Although there have been extensive research efforts to With respect to satisfying real-time constraints, the RTOS and provide isolation to programs in embedded devices [21], [28], processes can avoid expensive privilege mode switching while [42], [48], [52], they have limitations in achieving both real- interacting with each other through direct memory access, as time performance and memory isolation. Most of them require MINION simply runs them in the same (unprivileged) processor manual efforts to identify which subject can access what mode. In terms of security guarantees, since each process’s memory regions, because it is difficult to accurately identify the memory accessibility is strictly limited to its own memory view memory boundaries between processes in the shared,

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    15 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us